SanitisingHTML (r5 - 17 Jul 2002 - 17:08:05 - DaleBrayden)

Question

How do I control which HTML tags are used in user topics? I want to prevent <script> tags for a start.

  • TWiki version: 01 Dec 2001
  • Web server: any
  • Server OS: any
  • Web browser: any
  • Client OS: any

-- MartinEllison - 10 Apr 2002

Answer

This is currently not in TWiki. You can however filter certain tags in a Plugin. Write your own plugin or add the filter to the DefaultPlugin, function startRenderingHandler:

    # filter out all scripts, including <script ...> tags that carry attributes
    $_[0] =~ s/<script\b[^>]*>.*?<\/script\s*>//gis;

Note that this will filter out any scripts, including TWiki's own like JavascriptBasedEditor. (This code has not been tested)

-- PeterThoeny - 11 Apr 2002

Yes, something along these lines seems to work, although I prefer to list the tags that are allowed and delete the others.

-- MartinEllison - 11 Apr 2002

See also DisableHTML

-- PeterThoeny - 17 Apr 2002

I'm not sure how valuable it is to simply filter out script tags. Many tags allow onxxxxx="code", so an attacker could simply put in an anchor tag, add an onmouseover="do lots o' nasty stuff", and wouldn't be at all restricted by the absence of script tags.

-- DaleBrayden - 17 Jul 2002
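
An allow-list filter of the kind preferred above, which also drops the `onxxxxx` handlers raised in the last comment. This is an added example, not code from the thread or from TWiki. The tag list, the permitted URL schemes and the names `sanitise_html`, `rebuild_tag` and `escape_text` are hypothetical, and the regex tokenising is an assumption chosen to keep it self-contained:

```perl
use strict;
use warnings;

# Hypothetical policy: allowed tag => attributes that may survive on it.
my %ALLOWED = (
    (map { $_ => [] } qw(b i em strong p br ul ol li pre code)),
    a => ['href'],
);

sub escape_text {
    my ($t) = @_;
    $t =~ s/</&lt;/g;
    $t =~ s/>/&gt;/g;
    return $t;
}

# Rebuild one tag from scratch so nothing unlisted (onmouseover, style, ...)
# is ever copied through. Returns '' for tags that are not on the list.
sub rebuild_tag {
    my ($tag) = @_;
    my ($close, $name, $rest) =
        $tag =~ m{^<(/?)([A-Za-z][A-Za-z0-9]*)(?=[\s/>])(.*)>\z}s
        or return '';
    $name = lc $name;
    my $attrs = $ALLOWED{$name} or return '';
    return "</$name>" if $close;
    my $out = "<$name";
    for my $attr (@$attrs) {
        next unless $rest =~ /(?:^|\s)\Q$attr\E\s*=\s*(["'])(.*?)\1/is;
        my $val = $2;
        next unless $val =~ m{^(?:https?://|mailto:)}i;   # rejects javascript: etc.
        $val =~ s/"/&quot;/g;
        $out .= qq{ $attr="} . escape_text($val) . '"';
    }
    return "$out>";
}

sub sanitise_html {
    my ($html) = @_;
    $html =~ s{<(script|style)\b[^>]*>.*?</\1\s*>}{}gis;   # drop element and body
    my $out = '';
    for my $piece (split /(<[^>]*>)/, $html) {
        $out .= $piece =~ /\A<[^>]*>\z/ ? rebuild_tag($piece) : escape_text($piece);
    }
    return $out;
}

# Constructed sample input.
my $in = q{<b>hi</b> <a href="http://example.com/" onmouseover="alert(1)">x</a>}
       . q{<script>alert(2)</script> <a href="javascript:alert(3)">y</a>};
print sanitise_html($in), "\n";
```

Because every emitted tag is rebuilt and all other `<` and `>` are escaped, the output can only contain markup from the list. Assuming the same hook as the filter above, it would be called from startRenderingHandler as `$_[0] = sanitise_html($_[0]);`.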

Support.SanitisingHTML moved from Support.SantitisingHTML on 17 Apr 2002 - 05:43 by PeterThoeny - put it back